Reference Policy Interface and Template Naming Conventions

All Reference Policy interfaces and templates should use the following naming convention.

modulename[_modifier]_verb_predicate()

modulename: The name of the module, or for modules with long names, an abbreviation of the module name. If an abbreviation is used, it must be consistent throughout the module, e.g., apache, samba, and corenet (for corenetwork).
modifier: Describes variations of a common interface. The most common use is the modifier dontaudit. (optional)
verb: Describes the action/access, e.g., read or write.
predicate: A noun with zero or more adjectives which defines which object is being referenced in the module. In a few cases this can be omitted, when it is clear what object is being referenced. Usually this is the case when there is only one domain in a module, e.g., dmesg_domtrans().

Common File Interface Elements

These are applicable for all file object classes (file, lnk_file, sock_file, fifo_file, blk_file, chr_file).

Verbs
getattr: Get the attributes of an object, such as stat().
setattr: Set the attributes of an object, such as chmod().
read: Read an object.
append: Append only to an object.
write: Write an object.
rw: Read and write an object.
create: Create an object.
delete: Delete an object.
manage: Create, read, write, and delete an object.
relabelfrom: Relabel from the object's type.
relabelto: Relabel to the object's type.
relabel: Relabel to and from the object's type.
exec: Execute a file in the caller's domain (no domain transition; file only).
Predicates
files: Ordinary files
symlinks: Symbolic links
pipes: (Un)named pipes/FIFOs
sockets: (Un)named sockets for unix domain sockets
chr_files: Character device nodes
blk_files: Block device nodes

Common Directory Interface Elements

Verbs
getattr: Get the attributes of a directory.
setattr: Set the attributes of a directory.
search: Search a directory, but not get a list of directory entries.
list: Read the list of directory entries.
rw: Add and remove directory entries.
manage: Add and remove directory entries, create and delete directories.
mounton: Filesystems can be mounted on this directory.
Predicates
dirs: Directories

Common Process Interface Elements

Verbs
sigchld: Send a SIGCHLD signal.
sigstop: Send a SIGSTOP signal.
signull: Send a null signal.
kill: Send a kill signal (SIGKILL).
domtrans: Execute a program and perform a domain transition.
run: Execute a program and perform a domain transition. Additionally allow the target domain to read and write the specified terminal, and allow the specified role to use the target domain. This is used with interactive programs.
Predicates
The predicate of process interfaces usually is the common name of the domain, e.g., smbd or nmbd.

Common Networking Interface Elements

Modifiers
tcp: Internet domain TCP sockets
udp: Internet domain UDP sockets
raw: Internet domain raw IP sockets
stream: Unix domain stream sockets
dgram: Unix domain datagram sockets
Verbs
send: Send network traffic on the network object.
receive: Receive network traffic on the network object.
sendrecv: Send and receive network traffic on the network object.
bind: Bind a socket to a port or node.
connect: Connect to another process or port.
Predicates
if: Network interfaces
node: Network nodes
port: Network ports
packets: Network packets

Common Filesystem Interface Elements

Verbs
getattr: Get the attributes of the filesystem.
mount: Mount the filesystem.
unmount: Unmount the filesystem.
remount: Remount the filesystem (change mount options).
associate: Associate a file type to the filesystem.
Predicates
The predicate of filesystem interfaces is usually the filesystem type, e.g., tmpfs or cifs.
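As an added example (not part of the reference policy or this document), the checker below splits an interface name into the modulename[_modifier]_verb_predicate() parts defined at the top of this page, using the modifier and verb vocabularies listed in the sections above. The module list passed to it is a constructed sample; a real check would use the policy's actual module names.

```python
# Added example: checker for the modulename[_modifier]_verb_predicate() convention.
# Not reference policy code; the vocabularies below are the modifiers and verbs
# listed on this page, and the module set passed by the caller is a constructed sample.
import re

MODIFIERS = {"dontaudit", "tcp", "udp", "raw", "stream", "dgram"}
VERBS = {
    # file objects
    "getattr", "setattr", "read", "append", "write", "rw", "create", "delete",
    "manage", "relabelfrom", "relabelto", "relabel", "exec",
    # directories
    "search", "list", "mounton",
    # processes
    "sigchld", "sigstop", "signull", "kill", "domtrans", "run",
    # networking
    "send", "receive", "sendrecv", "bind", "connect",
    # filesystems
    "mount", "unmount", "remount", "associate",
}


def parse_interface_name(name, modules):
    """Split an interface name into module, modifier, verb and predicate.

    Returns a dict; modifier and predicate are None when absent (the
    predicate may be omitted, as in dmesg_domtrans()). Raises ValueError
    when the name does not follow the convention: bad characters, unknown
    module prefix, or no recognised verb where one is required.
    """
    base = name[:-2] if name.endswith("()") else name
    if not re.fullmatch(r"[a-z][a-z0-9_]*", base):
        raise ValueError(f"{name!r}: only lowercase letters, digits and '_' allowed")
    # Module names may themselves contain '_', so pick the longest matching prefix.
    module = max((m for m in modules if base == m or base.startswith(m + "_")),
                 key=len, default=None)
    if module is None:
        raise ValueError(f"{name!r}: no known module prefix")
    rest = base[len(module):].lstrip("_")
    parts = rest.split("_") if rest else []
    modifier = parts.pop(0) if parts and parts[0] in MODIFIERS else None
    if not parts or parts[0] not in VERBS:
        raise ValueError(f"{name!r}: expected a verb after {modifier or module!r}")
    verb = parts.pop(0)
    return {"module": module, "modifier": modifier, "verb": verb,
            "predicate": "_".join(parts) or None}
```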